Ok guys, let me clear this up front. I haven’t tested this method yet, but by the looks of it, there is no reason why it shouldn’t work. If you have just got a new iPhone 4 or iPhone 3GS (new bootrom) which is on iOS 4.0.2, you can now downgrade to iOS 4.0.1 without having your SHSH blobs saved. This will of course allow you to jailbreak and unlock your new iPhone with JailbreakMe, and patch it with PDF Patch so that you are safe from the PDF vulnerability in iOS 4.0.1.

Today I found something that the iPhone Devs told me was "impossible". I also spoke with iH8Snow, who told me that this sounds impossible. He also mentioned to me and one of my beta testers that this is possible if you allowed Cydia to store your SHSH/Blobs since Cydia will cache your firmware along the way.

Well, I’m pretty sure I proved them wrong.

So the story is that I have possession of clean (never before jailbroken) iDevices, and I managed to downgrade one of them and upgrade one of them to iOS 4.0.

The step-by-step instructions for downgrading a new iPhone 4 or iPhone 3GS without having SHSH blobs saved are posted below. Follow them at your own risk. I am not responsible for any loss of data, or malfunction of your iPhone.

Step 2: Extract it with WinRAR or WinZip to a folder on the desktop. You may need to rename the firmware file from .ipsw to .zip to do this.

Step 3: Open the buildmanifest.plist with Notepad if you are on Windows, or TextWrangler if you are on Mac.

Search for 8A306 and replace all occurrences with 8A400. Save. Repeat the same with the file restore.plist.

Step 4: Download iOS 4.0.2 ipsw from here and open this with WinRAR or WinZip.

Note: Do not extract it. Just open it and leave it open. You must use this exact file and not create a new one. If you have to create a new one for reasons like you are on OS X, then use zip command line not explorer or finder to make the zip. I will assume you are using the original file opened in WinRAR for the rest of this guide.

Step 5: Take all the files from iOS 4.0.1 and drag them over to the iOS 4.0.2 zip archive that you have open.

Step 6: Delete all the .dmg files that have 002 at the end, leaving only the 001 files left.

Step 7: Save the archive, and rename it back to .ipsw if you changed the name to get WinRAR/WinZip to open it.

Step 8: Optional (this helps ensure you get an SHSH file request for the future, but should not be necessary to just restore iOS 4.0.1). Add the line 74.208.10.249 gs.apple.com to the hosts file. If you need help with this step, read Step 3 from here.

Once you are done with the jailbreak, you can follow our step by step guide posted here to unlock your iPhone on iOS 4.x, on any baseband using Ultrasn0w. [via PwnMyI Forums, Thanks to everyone for sending this in!]

UPDATE 1: Ok guys, I know I took a little long to provide this update, but this was because I was thoroughly testing this method to see if it really works. After trying it out on my iPhone 4, 3GS, iPod touch and iPad, I can confirm that this at least didn’t work for me. But then again I got lots of messages from Twitter and email from users who said that they got it working on iPhone 3GS and all. But at least in all my tests, it didn’t work for me even on an iPhone 3GS.

After searching around for a bit, I came to the conclusion that those who reported this method working for them had at some point in the past saved their SHSH files on Cydia; they just didn’t know about it, which resulted in false hopes for many. I won’t go as far as calling this method fake; it was just that people didn’t know that the device they were trying to downgrade using this method already had SHSH blobs saved on Cydia. Notcom explains this on his blog:

There is much discussion on many blogs about a potential means of downgrading iOS 4.0.2 to 4.0.1 by simply changing a couple values in the buildmanifest.plist and copying all of the images from 4.0.1 into 4.0.2 and then deleting the files ending with 002. Following all of this, perform a DFU restore and somehow you will be on 4.0.1. There is a perfectly logical explanation for all of this and I will lay out exactly what is happening and explain why it is working for the folks that are the lucky ones. Let me get this out first.

Let me start by explaining something very important. The buildmanifest is used by iTunes to build much of the TSS request that is used to obtain your SHSH for any given firmware revision. Unfortunately, the BuildNumber has no part to play in the request for SHSH. All that you ended up doing in following these directions is request 4.0.1 SHSH blobs. THAT IS ALL. Since every single one of you that got this to work changed your hosts file to point to Cydia, Cydia responded to the TSS request with an SHSH blob that was ALREADY "on-file". There was no magic. There was no miracle, apart from the lucky break that your device had been put on Cydia’s SHSH request list at some time in the distant past. That’s it in a nutshell, folks. There was no amazing technique for bypassing Apple’s TSS. There was no amazing exploit that exists in DFU mode allowing for 4.0.2 -> 4.0.1 downgrading. It’s simple; Cydia had your SHSH because at some time in the past either:

Someone saved your SHSH with that device using TinyUmbrella and the default options

Someone restored that device with Cydia in the hosts pointing to gs.apple.com
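The hosts-file redirection that Step 8 sets up and that Notcom's explanation turns on can be checked directly. The sketch below is an added example, not code from the original post or from Notcom's blog: it parses hosts-file text and reports whether gs.apple.com is being remapped. The function names and the sample file are constructed for illustration; the address 74.208.10.249 is the one given in Step 8.

```python
import ipaddress

SIGNING_HOST = "gs.apple.com"  # hostname named in Step 8 and in Notcom's explanation


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each active hosts-file entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # everything after '#' is a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no hostname maps nothing
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid address, so not a usable entry
        # Hostnames are case-insensitive; a trailing dot is the same name.
        yield line_no, fields[0], [h.lower().rstrip(".") for h in fields[1:]]


def find_override(text, host=SIGNING_HOST):
    """Return (line_no, address) of the first entry that remaps host, else None."""
    host = host.lower()
    for line_no, addr, names in parse_hosts(text):
        if host in names:
            return line_no, addr
    return None


# Constructed sample hosts file. 192.0.2.1 is a documentation-range address
# used only to show that a commented-out entry is ignored.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# 192.0.2.1  gs.apple.com   (commented out, has no effect)
74.208.10.249 GS.Apple.com
::1         localhost
"""

if __name__ == "__main__":
    hit = find_override(SAMPLE_HOSTS)
    if hit:
        print(f"line {hit[0]}: {SIGNING_HOST} is remapped to {hit[1]}; "
              "restore signing requests will not reach Apple's server")
    else:
        print(f"{SIGNING_HOST} is not overridden in this hosts file")
```

On a real machine, pass the contents of the system hosts file to `find_override`; a hit means any SHSH answer iTunes receives comes from the listed address, which is exactly the situation Notcom describes.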

Same here just bought my iPhone 4 and it came already upgraded to 4.0.2 anyone have a working downgrade?

Piseth27

BADMAN666 : can you link your modified firmware for everybody if you got it to work.
Thanks

Piseth27

sorry but it doesn't work for me ! i think you have an iphone that used to save shsh with cydia already. as you also point the file to cydia server for your shsh.
When did you get your new phone and where did you get it from?

Piseth27

i just got iphone 4g from apple store with 4.0.2 out of box. DEFINITELY not WORKING ! i try for like 3 days already

Neilparmar1

personally i did this on a mac and didn't get it but on windows u need winrar to take the files u extracted from 4.0.1 and put them in to 4.0.2, once done, u must change host, after that u try to restore with u changed ipsw and it works =),

Matthew Steele

I have Vista where does the 8A400 file go ?? i put in DFU mode but when i restore its downloading a fresh IOS>??

avalvaz

Can any one please put a link to ios 4.0.1 for the (Ipod touch 3gs).

Badboy_2k11

nah pal its from o2 and it was not jailbroken before

AGearHead4Life

You have to hold shift while clicking restore. The 8A400 file goes in the two files listed to replace the 8A306 file.

Cagatay

Hey I have also new Iphone 4 with sw 4.0.2.
If you get video, can u share with me mehdipur@gmail.com
I really need help to downgrade my phone and jailbreak…
Thx.

degdeg

At the end I can't downgrade -_- , an error …

Ledemari

Well looks all people that bought the iphone 4s with 4.0.2 need to be patient and be happy u get a beautiful paper weight…..
Ah u can use the phone as an ipod…. Sad…
Anyone were able to downgrade? Please I'm quite desperate already!

Got it to work for the ipod touch 3g 8gb all you need to do is use 2g ipod touch firmware. download 4.0.2 file for 2g and 4.0.2 for 2g also. and for the ipod replace 8A293 with 8A400. from there its the same process

iphone3gs

it work man!! u rock!

Anonymous

Okay this works!!! The first time i did this i was getting the errors, but the second time I add the host file thing and IT WORKED. MY PHONE HAS NEVER BEEN JAIL BROKEN! so my shsh blobs are not saved anywhere. BUT THIS WORKS!

Genezis_shadow

_______HOW TO_______ !!! READ !!!

ITS WORKING !!! brand new iphone out of box (3GS 32gb).

whole problem why this did not work was about apple verification.
all you have to do is to edit HOST FILE before you restore ipsw, then it works !!!!

Jeliciano4

What model do u have?

LT

Works like a charm :] Thanks for the guide, it really works, you just need to follow the instructions carefully, no need for the ShSHM Blob shit…

Gnpavl

What do you mean with this -> Step 10: Now simply open iTunes and restore the firmware you changed. How i will do that? I have the changed 4.0.2 firmware saved on my desktop…now what? Thank you!

Shahedhussain26

I have bought a new iphone 3GS (iOS 4.0.2) New bootrom, never been jailbroken. Followed the method above and it worked like a charm !

Thanks for this awesome guide !!!

Jon

I did all the steps exactly as described, but it didn’t work for me. “The iPhone “iPhone” could not be restored. An unknown error occurred (3194)” Wasted a few hours doing this